package no.nav.sbl.dialogarena.common.abac.pep;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import no.nav.sbl.dialogarena.common.abac.pep.domain.Attribute;
import no.nav.sbl.dialogarena.common.abac.pep.domain.ResourceType;
import no.nav.sbl.dialogarena.common.abac.pep.domain.request.AccessSubject;
import no.nav.sbl.dialogarena.common.abac.pep.domain.request.Action;
import no.nav.sbl.dialogarena.common.abac.pep.domain.request.Environment;
import no.nav.sbl.dialogarena.common.abac.pep.domain.request.Request;
import no.nav.sbl.dialogarena.common.abac.pep.domain.request.Resource;
import no.nav.sbl.dialogarena.common.abac.pep.domain.request.XacmlRequest;
import no.nav.sbl.dialogarena.common.abac.pep.domain.response.BiasedDecisionResponse;
import no.nav.sbl.dialogarena.common.abac.pep.domain.response.Decision;
import no.nav.sbl.dialogarena.common.abac.pep.domain.response.XacmlResponse;
import no.nav.sbl.dialogarena.common.abac.pep.exception.AbacException;
import no.nav.sbl.dialogarena.common.abac.pep.exception.PepException;
import no.nav.sbl.dialogarena.common.abac.pep.service.AbacService;
import no.nav.sbl.dialogarena.common.abac.pep.utils.SecurityUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

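/**
 * Policy Enforcement Point (PEP) for NAV's ABAC setup.
 *
 * <p>Every public entry point ends in {@link #harTilgang(Request)}: one XACML request is sent
 * to the PDP through {@link AbacService}, request and response are audit-logged, and the PDP
 * decision is mapped through a fixed {@link Bias#Deny} bias. {@code NotApplicable} therefore
 * becomes {@code Deny}, and {@code Indeterminate} is rejected with a {@link PepException}, so the
 * enforcement point fails closed when a policy is missing or the request lacks attributes.
 *
 * <p>Error translation: every checked failure from {@link AbacService} is wrapped in a
 * {@link PepException} by {@link #askForPermission(XacmlRequest)}; all callers go through that
 * wrapper so the exception contract is the same for {@link #ping()} and the access checks.
 */
@Component
public class PepImpl implements Pep {
    /** The PDP must answer with exactly this many results; anything else is treated as an error. */
    private static final int NUMBER_OF_RESPONSES_ALLOWED = 1;
    /** When true an {@code Indeterminate} PDP decision raises a {@link PepException} instead of being biased. */
    private static final boolean FAIL_ON_INDETERMINATE_DECISION = true;
    /** Decision substituted for {@code NotApplicable}/{@code Indeterminate}; deny = fail closed. */
    private static final Bias DEFAULT_BIAS = Bias.Deny;
    /** A Norwegian fnr is exactly 11 digits. */
    private static final int FNR_LENGTH = 11;
    private static final Logger LOG = LoggerFactory.getLogger(PepImpl.class);

    private final AbacService abacService;
    private final AuditLogger auditLogger = new AuditLogger();

    /** Which decision replaces a non-conclusive PDP decision. Names must match constants of {@link Decision}. */
    public enum Bias {
        Permit,
        Deny
    }

    /**
     * @param abacService client used to reach the PDP and to read the PEP's own credential resource
     */
    public PepImpl(AbacService abacService) {
        this.abacService = abacService;
    }

    /**
     * Checks whether the service identified by an OIDC token may access a person.
     *
     * @param oidcToken raw OIDC token; only its body is forwarded to the PDP
     * @param domain    the application domain the check is made for
     * @param fnr       the person's fnr, must be exactly 11 ASCII digits
     * @return the biased decision together with the raw PDP response
     * @throws IllegalArgumentException if {@code fnr} is not valid
     * @throws PepException             if the PDP cannot be reached or answers unexpectedly
     */
    @Override
    public BiasedDecisionResponse isServiceCallAllowedWithOidcToken(String oidcToken, String domain, String fnr) throws PepException {
        validateFnr(fnr);
        return isServiceCallAllowed(SecurityUtils.extractOidcTokenBody(oidcToken), null, domain, fnr, ResourceType.Person);
    }

    /**
     * Checks whether the subject identified by {@code subjectId} may access a person.
     *
     * @param subjectId subject identifier sent to the PDP instead of a token
     * @param domain    the application domain the check is made for
     * @param fnr       the person's fnr, must be exactly 11 ASCII digits
     * @return the biased decision together with the raw PDP response
     * @throws IllegalArgumentException if {@code fnr} is not valid
     * @throws PepException             if the PDP cannot be reached or answers unexpectedly
     */
    @Override
    public BiasedDecisionResponse isServiceCallAllowedWithIdent(String subjectId, String domain, String fnr) throws PepException {
        validateFnr(fnr);
        return isServiceCallAllowed(null, subjectId, domain, fnr, ResourceType.Person);
    }

    /**
     * Checks whether the token's subject may see persons with "kode 7" (address protection).
     *
     * @param oidcToken raw OIDC token; only its body is forwarded to the PDP
     * @param domain    the application domain the check is made for
     */
    @Override
    public BiasedDecisionResponse isSubjectAuthorizedToSeeKode7(String oidcToken, String domain) throws PepException {
        return isServiceCallAllowed(SecurityUtils.extractOidcTokenBody(oidcToken), null, domain, null, ResourceType.Kode7);
    }

    /**
     * Checks whether the token's subject may see persons with "kode 6" (strict address protection).
     *
     * @param oidcToken raw OIDC token; only its body is forwarded to the PDP
     * @param domain    the application domain the check is made for
     */
    @Override
    public BiasedDecisionResponse isSubjectAuthorizedToSeeKode6(String oidcToken, String domain) throws PepException {
        return isServiceCallAllowed(SecurityUtils.extractOidcTokenBody(oidcToken), null, domain, null, ResourceType.Kode6);
    }

    /**
     * Checks whether the token's subject may see persons flagged as "egen ansatt" (own employee).
     *
     * @param oidcToken raw OIDC token; only its body is forwarded to the PDP
     * @param domain    the application domain the check is made for
     */
    @Override
    public BiasedDecisionResponse isSubjectAuthorizedToSeeEgenAnsatt(String oidcToken, String domain) throws PepException {
        return isServiceCallAllowed(SecurityUtils.extractOidcTokenBody(oidcToken), null, domain, null, ResourceType.EgenAnsatt);
    }

    /**
     * Checks whether the token's subject is a member of Modia oppfølging (resource type {@code VeilArb}).
     *
     * @param oidcToken raw OIDC token; only its body is forwarded to the PDP
     * @param domain    the application domain the check is made for
     */
    @Override
    public BiasedDecisionResponse isSubjectMemberOfModiaOppfolging(String oidcToken, String domain) throws PepException {
        return isServiceCallAllowed(SecurityUtils.extractOidcTokenBody(oidcToken), null, domain, null, ResourceType.VeilArb);
    }

    /**
     * Checks whether the currently logged-in user (tokens taken from the security context via
     * {@link #nyRequest()}) may perform {@code actionId} on the person {@code fnr}.
     *
     * @param fnr          the person's fnr, must be exactly 11 ASCII digits
     * @param domain       the application domain the check is made for
     * @param actionId     the XACML action to check
     * @param resourceType the resource type the person is checked as
     * @throws IllegalArgumentException if {@code fnr} is not valid
     * @throws PepException             if the PDP cannot be reached or answers unexpectedly
     */
    @Override
    public BiasedDecisionResponse harInnloggetBrukerTilgangTilPerson(String fnr, String domain, Action.ActionId actionId, ResourceType resourceType) throws PepException {
        validateFnr(fnr);
        RequestData requestData = nyRequest()
                .withFnr(fnr)
                .withAction(actionId)
                .withDomain(domain)
                .withResourceType(resourceType);
        return harTilgang(requestData);
    }

    /**
     * Convenience overload: {@code READ} access to the person as resource type {@code Person}.
     */
    @Override
    public BiasedDecisionResponse harInnloggetBrukerTilgangTilPerson(String fnr, String domain) throws PepException {
        return harInnloggetBrukerTilgangTilPerson(fnr, domain, Action.ActionId.READ, ResourceType.Person);
    }

    /**
     * Health check against the PDP: sends the fixed ping request and requires a {@code Permit}.
     *
     * <p>Goes through {@link #askForPermission(XacmlRequest)} so transport failures surface as
     * {@link PepException} exactly like they do for real access checks.
     *
     * @throws PepException if the PDP is unreachable, returns an unexpected number of results, or
     *                      the (biased) decision is anything but {@code Permit}
     */
    @Override
    public void ping() throws PepException {
        XacmlResponse xacmlResponse = askForPermission(XacmlRequestGenerator.getPingRequest());
        Decision decision = createBiasedDecision(singleDecision(xacmlResponse));
        if (decision != Decision.Permit) {
            throw new PepException("Ping failed");
        }
    }

    /**
     * Common path for the service-call checks: builds a request carrying either an OIDC token body
     * or a subject id (the other is {@code null}) and asks the PDP.
     */
    private BiasedDecisionResponse isServiceCallAllowed(String oidcTokenBody, String subjectId, String domain, String fnr, ResourceType resourceType) throws PepException {
        RequestData requestData = buildRequest()
                .withOidcToken(oidcTokenBody)
                .withSubjectId(subjectId)
                .withDomain(domain)
                .withFnr(fnr)
                .withResourceType(resourceType);
        return harTilgang(requestData);
    }

    /**
     * Starts a request for the logged-in user: the SAML and OIDC tokens are read from the
     * security context ({@link SecurityUtils}); either may be absent and is then left {@code null}.
     */
    @Override
    public RequestData nyRequest() throws PepException {
        String samlToken = SecurityUtils.getSamlToken().orElse(null);
        String oidcToken = SecurityUtils.getOidcToken().orElse(null);
        return buildRequest().withSamlToken(samlToken).withOidcToken(oidcToken);
    }

    /** A fresh request pre-populated with this PEP's own credential resource. */
    private RequestData buildRequest() {
        return new RequestData().withCredentialResource(getCredentialResource());
    }

    /**
     * Turns the request data into a XACML {@link Request} and evaluates it.
     *
     * @param requestData attributes collected by the fluent {@link RequestData} builder
     */
    @Override
    public BiasedDecisionResponse harTilgang(RequestData requestData) {
        Request request = new XacmlRequestGenerator().makeRequest(requestData);
        return harTilgang(request);
    }

    /**
     * Evaluates a single XACML request against the PDP and applies the deny bias.
     *
     * <p>Both the outgoing request and the (biased) decision are audit-logged. The PDP must return
     * exactly one result; an {@code Indeterminate} decision is treated as a configuration error
     * and rejected rather than silently denied, so that broken policies or missing attributes are
     * noticed.
     *
     * @param request the XACML request to evaluate
     * @return the biased decision plus the raw PDP response
     * @throws PepException if the PDP cannot be reached, returns an unexpected number of results,
     *                      or answers {@code Indeterminate}
     */
    @Override
    public BiasedDecisionResponse harTilgang(Request request) throws PepException {
        this.auditLogger.logRequestInfo(request);
        XacmlResponse xacmlResponse = askForPermission(new XacmlRequest().withRequest(request));
        Decision pdpDecision = singleDecision(xacmlResponse);
        Decision biasedDecision = createBiasedDecision(pdpDecision);
        if (FAIL_ON_INDETERMINATE_DECISION && pdpDecision == Decision.Indeterminate) {
            throw new PepException("received decision " + pdpDecision + " from PDP. This should never happen. Fix policy and/or PEP to send proper attributes.");
        }
        this.auditLogger.logResponseInfo(biasedDecision.name(), xacmlResponse, request);
        return new BiasedDecisionResponse(biasedDecision, xacmlResponse);
    }

    /**
     * Checks whether the logged-in user may read the organisational unit {@code enhet}.
     *
     * @param enhet  the unit identifier
     * @param pepId  the calling PEP's id, sent as environment attribute
     * @param domain the application domain the check is made for
     */
    @Override
    public BiasedDecisionResponse harTilgangTilEnhet(String enhet, String pepId, String domain) throws PepException {
        return harTilgang(lagHarTilgangTilEnhetRequest(enhet, pepId, domain));
    }

    /**
     * Builds the XACML request for {@link #harTilgangTilEnhet(String, String, String)}: the OIDC
     * token body from the security context and the PEP id go into the environment, the action is
     * a fixed {@code READ}, and the unit plus domain go into the resource. The access subject is
     * left empty; the PDP is expected to derive the subject from the token.
     */
    private Request lagHarTilgangTilEnhetRequest(String enhet, String pepId, String domain) {
        Environment environment = new Environment();
        environment.addAttribute(new Attribute(NavAttributter.ENVIRONMENT_FELLES_OIDC_TOKEN_BODY, SecurityUtils.getOidcToken().orElse(null)));
        environment.addAttribute(new Attribute(NavAttributter.ENVIRONMENT_FELLES_PEP_ID, pepId));

        Action action = new Action();
        action.addAttribute(new Attribute(StandardAttributter.ACTION_ID, "READ"));

        Resource resource = new Resource();
        resource.addAttribute(new Attribute(NavAttributter.RESOURCE_FELLES_RESOURCE_TYPE, NavAttributter.RESOURCE_FELLES_ENHET));
        resource.addAttribute(new Attribute(NavAttributter.RESOURCE_FELLES_ENHET, enhet));
        resource.addAttribute(new Attribute(NavAttributter.RESOURCE_FELLES_DOMENE, domain));

        return new Request()
                .withEnvironment(environment)
                .withAction(action)
                .withAccessSubject(new AccessSubject())
                .withResource(resource);
    }

    /** The PEP's own identity towards the PDP: the configured service username. */
    private String getCredentialResource() throws PepException {
        return this.abacService.getAbacServiceConfig().getUsername();
    }

    /**
     * Rejects anything that is not exactly 11 ASCII digits.
     *
     * <p>Only ASCII digits are accepted (not every Unicode digit), and the rejected value is a
     * national identity number, so it is deliberately kept out of both the log line and the
     * exception message; only its length is reported.
     *
     * @throws IllegalArgumentException if {@code fnr} is {@code null} or malformed
     */
    private static void validateFnr(String fnr) {
        if (fnr != null && fnr.length() == FNR_LENGTH && fnr.chars().allMatch(ch -> ch >= '0' && ch <= '9')) {
            return;
        }
        String message = "Fnr is not valid: expected exactly " + FNR_LENGTH + " digits"
                + (fnr == null ? " (got null)" : " (got " + fnr.length() + " characters)");
        LOG.error(message);
        throw new IllegalArgumentException(message);
    }

    /**
     * Sends the request to the PDP, translating every checked failure into {@link PepException}
     * with the cause preserved.
     */
    private XacmlResponse askForPermission(XacmlRequest xacmlRequest) throws PepException {
        try {
            return this.abacService.askForPermission(xacmlRequest);
        } catch (UnsupportedEncodingException e) {
            throw new PepException("Cannot parse object to json request. ", e);
        } catch (IOException | NoSuchFieldException e) {
            throw new PepException(e);
        } catch (AbacException e) {
            throw new PepException(e);
        }
    }

    /**
     * Extracts the one decision a well-formed PDP answer carries.
     *
     * @throws PepException if the response holds no results or more than
     *                      {@link #NUMBER_OF_RESPONSES_ALLOWED}; a missing result list counts as zero
     */
    private static Decision singleDecision(XacmlResponse xacmlResponse) throws PepException {
        int count = xacmlResponse.getResponse() == null ? 0 : xacmlResponse.getResponse().size();
        if (count != NUMBER_OF_RESPONSES_ALLOWED) {
            throw new PepException("Pep is giving " + count + " responses. Only " + NUMBER_OF_RESPONSES_ALLOWED + " is supported.");
        }
        return xacmlResponse.getResponse().get(0).getDecision();
    }

    /**
     * Maps a non-conclusive PDP decision to {@link #DEFAULT_BIAS}; conclusive ones pass through.
     * The mapping is by constant name, so {@link Decision} must declare the same names as {@link Bias}.
     */
    private static Decision createBiasedDecision(Decision decision) {
        switch (decision) {
            case NotApplicable:
            case Indeterminate:
                return Decision.valueOf(DEFAULT_BIAS.name());
            default:
                return decision;
        }
    }
}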
